
NAT Network address Translation Theory + experiment

2025-04-10 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

NAT network address translation

NAT not only eases the shortage of IPv4 addresses; by presenting a single public address to the outside it also keeps the addressing of the computers inside the network out of sight.

1. Broadband sharing: the most important feature of a NAT host. Many internal hosts share one Internet connection through one public address.

2. Protection: when a PC behind the NAT connects to the Internet, the address the outside sees is the public IP of the NAT host, so the internal PC gains a degree of protection. When an outsider runs a port scan against the public address, the probes reach the NAT host; for a port with no translation entry the packet is not forwarded, so the internal PC cannot be detected. This only holds for ports without a mapping: a static port mapping (such as the 8080 mapping in section 8) is reachable by anyone on the external network, so NAT hides hosts but is not a substitute for a firewall or an access list.

1. The working principle of NAT

Network Address Translation: a router rewrites the addresses (and, for PAT, the ports) of packets that cross between its inside and outside interfaces and keeps a translation table so that replies can be mapped back to the original host.

2. NAT implementations

(1) Static translation (Static Translation): a fixed one-to-one mapping between a private address and a public address.

(2) Dynamic translation (Dynamic Translation): private addresses are mapped to public addresses taken from a pool as needed.

(3) Port multiplexing (Port Address Translation, PAT): many private addresses share one public address and are told apart by port number.

3. Advantages and disadvantages of NAT

1. Advantages of NAT

(1) Saves legal public IP addresses.

(2) Copes with overlapping address space (different networks that use the same private range).

(3) Adds flexibility: the internal addressing can change without renumbering on the public side.

(4) Hides internal addresses from the outside.

2. Shortcomings of NAT

(1) Adds delay: every packet is rewritten and checked against the translation table.

(2) More complex configuration and maintenance.

(3) Some applications do not work through NAT, for example those that must accept inbound connections; a static NAT mapping works around some of these cases.

The terminology of NAT refers to the entries of the translation table.

NAT is a form of address masquerading: the real internal addresses never appear on the outside.

As shown in the figure:

When PC1 sends a packet outward, the router first looks up the routing table and then, according to the NAT table, rewrites the source address to a public address. The source IP changes, the destination IP stays the same, and on the external side the source IP is now the public address.

When PC2 (the external host) replies, the router first looks up the NAT translation table and only then the routing table to forward the packet.

The order matters in the reply direction: the reply is addressed to the public (inside global) address, which belongs to no host in the private network, so a routing lookup done first would find nothing. The two interfaces of the NAT router sit in different networks (in the figure one interface is in the 1.0 network and the other in the 125.0 network); only the translation table links them.

Inside the private network:

Source IP: inside local address

Destination IP: outside local address

On the external network:

Source IP: inside global address

Destination IP: outside global address

4. Translation entries of NAT

(1) simple translation entry (based on IP address)

(2) extended translation entries (based on IP address and port)
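Added example, not code from the original page: a small Python model of the translation table described in sections 1 to 4, using the addresses of the later experiments (192.168.100.0/24 inside, 12.0.0.1 on the outside interface). It implements simple entries (address only) and extended entries (address plus port), the outbound order route-then-translate and the inbound order translate-then-route, and it shows why an unmapped port on the public address is dropped while a static port mapping is reachable from outside. NatRouter, Packet, demo and demo_dynamic are names chosen here; entry timeouts, access lists and ARP are left out of the model.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Toy model of a router with one 'ip nat inside' and one 'ip nat outside' interface.
    Simple entries map an inside local address to an inside global address; extended
    entries also carry the port, which is what static port mappings and PAT use."""

    def __init__(self, inside_net, outside_ip):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.outside_ip = outside_ip   # address of the outside interface (used by PAT)
        self.simple = {}               # inside local -> inside global
        self.pool = []                 # unused addresses of a dynamic pool
        self.overload = False          # PAT: share outside_ip, distinguish flows by port
        self.extended = {}             # (inside global, port, proto) -> (inside local, port)
        self.next_port = 1024          # next translated source port handed out by PAT

    # configuration, one method per IOS command used in the experiments
    def static(self, local, glob):                     # ip nat inside source static L G
        self.simple[local] = glob

    def static_port(self, proto, local, lport, glob, gport):  # ... static tcp L lp G gp
        self.extended[(glob, gport, proto)] = (local, lport)

    def dynamic_pool(self, first, last):               # ip nat pool P first last ...
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.pool = [str(ipaddress.ip_address(i)) for i in range(int(a), int(b) + 1)]

    def enable_overload(self):                         # ... interface f0/1 overload
        self.overload = True

    def inside_to_outside(self, pkt):
        """Outbound: route first, then translate. Returns the packet as seen outside."""
        if ipaddress.ip_address(pkt.dst_ip) in self.inside_net:
            return None                                # stays inside, NAT not involved
        for (glob, gport, proto), (local, lport) in self.extended.items():
            if (local, lport, proto) == (pkt.src_ip, pkt.src_port, pkt.proto):
                return replace(pkt, src_ip=glob, src_port=gport)   # existing flow
        if pkt.src_ip in self.simple:                  # static, or dynamic already allocated
            return replace(pkt, src_ip=self.simple[pkt.src_ip])
        if self.pool:                                  # dynamic NAT: next free pool address
            self.simple[pkt.src_ip] = self.pool.pop(0)
            return replace(pkt, src_ip=self.simple[pkt.src_ip])
        if self.overload:                              # PAT: one address, unique port
            gport, self.next_port = self.next_port, self.next_port + 1
            self.extended[(self.outside_ip, gport, pkt.proto)] = (pkt.src_ip, pkt.src_port)
            return replace(pkt, src_ip=self.outside_ip, src_port=gport)
        return None                                    # nothing matched: packet dropped

    def outside_to_inside(self, pkt):
        """Inbound: translate first, then route. No table entry means drop."""
        hit = self.extended.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
        if hit:
            return replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        for local, glob in self.simple.items():
            if glob == pkt.dst_ip:
                return replace(pkt, dst_ip=local)
        return None


def demo():
    """Replays the page's static NAT, port mapping and PAT set-ups, then probes from outside."""
    r = NatRouter("192.168.100.0/24", "12.0.0.1")
    r.static("192.168.100.10", "12.0.0.10")                          # section 7
    r.static_port("tcp", "192.168.100.100", 80, "12.0.0.100", 8080)  # section 8
    r.enable_overload()                                              # section 10
    out = {}
    out["static"] = r.inside_to_outside(Packet("192.168.100.10", 40000, "12.0.0.12", 80))
    out["pat_a"] = r.inside_to_outside(Packet("192.168.100.20", 40000, "12.0.0.12", 80))
    out["pat_b"] = r.inside_to_outside(Packet("192.168.100.30", 40000, "12.0.0.12", 80))
    out["reply_b"] = r.outside_to_inside(
        Packet("12.0.0.12", 80, out["pat_b"].src_ip, out["pat_b"].src_port))
    # an outsider scanning the public address: unmapped port is dropped, mapped port gets in
    out["scan_unmapped"] = r.outside_to_inside(Packet("12.0.0.12", 55555, "12.0.0.1", 22))
    out["scan_mapped"] = r.outside_to_inside(Packet("12.0.0.12", 55555, "12.0.0.100", 8080))
    return out


def demo_dynamic():
    """Dynamic pool of two addresses (section 9): a third host finds the pool exhausted."""
    r = NatRouter("192.168.100.0/24", "12.0.0.1")
    r.dynamic_pool("12.0.0.10", "12.0.0.11")
    hosts = ("192.168.100.10", "192.168.100.20", "192.168.100.30")
    return [r.inside_to_outside(Packet(h, 40000, "12.0.0.12", 80)) for h in hosts]


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:13s} {pkt}")
    print(demo_dynamic())
```

Running the block prints the translated packets; the two PAT hosts both leave as 12.0.0.1 with different source ports, the scan of 12.0.0.1:22 yields None, and the scan of 12.0.0.100:8080 lands on 192.168.100.100:80. In demo_dynamic the third host gets None because the pool has only two addresses and no overload is configured.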

5. The working process of NAT

The figure for this section (not reproduced here) shows a host with address 10.1.1.12 behind the NAT router. The translation table holds a manually configured TCP entry with the inside local, inside global and outside global addresses, and the figure traces the source and destination addresses of the packet on its way to the external network and back: the source address is rewritten on the way out, the destination address on the way back.

6. PAT

PAT translates many private addresses into one public address and tells the flows apart by port number; the translated port is chosen by the device, and for static port mappings it can be set by hand.

7. Static NAT address translation experiment

Topology: a layer-2 switch sw1 connects PC1 and PC2 to the inside interface of R2, which performs the static NAT. R3 plays the external router, with PC3 behind it. (The original overview lists R2's interfaces the other way round; the addresses below follow the configuration actually entered.)

    sw1: routing disabled, interface speed and duplex set
    R2:  f0/0 192.168.100.1/24 (inside), f0/1 12.0.0.1/24 (outside); default route to R3; static NAT
    R3:  f0/0 12.0.0.2/24, f0/1 13.0.0.1/24; default route to R2
    PC1: 192.168.100.10/24   PC2: 192.168.100.20/24   PC3: 13.0.0.13/24

7.1. Switch: disable routing, set speed and full duplex

    sw1#conf t
    sw1(config)# no ip routing          // turn off the routing feature
    sw1(config)# int f1/0
    sw1(config-if)# speed 100           // rate 100
    sw1(config-if)# dup full            // full duplex mode
    sw1(config-if)# ex

7.2. R3: address the interfaces and configure the default route

    R3#conf t
    R3(config)# int f0/0
    R3(config-if)# ip add 12.0.0.2 255.255.255.0    // configure address
    R3(config-if)# no shut                          // enable the interface
    R3(config-if)# int f0/1
    R3(config-if)# ip add 13.0.0.1 255.255.255.0
    R3(config-if)# no shut
    R3(config-if)# do show ip route                 // view the routing table
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

         12.0.0.0/24 is subnetted, 1 subnets
    C       12.0.0.0 is directly connected, FastEthernet0/0
         13.0.0.0/24 is subnetted, 1 subnets
    C       13.0.0.0 is directly connected, FastEthernet0/1
    R3(config-if)# ex
    R3(config)# ip route 0.0.0.0 0.0.0.0 12.0.0.1   // default route towards R2

7.3. R2: address the interfaces and configure the default route back

    R2#conf t
    R2(config)# int f0/0
    R2(config-if)# ip add 192.168.100.1 255.255.255.0   // inside address
    R2(config-if)# no shut
    R2(config-if)# int f0/1
    R2(config-if)# ip add 12.0.0.1 255.255.255.0        // outside address
    R2(config-if)# no shut                              // missing in the original transcript; without it f0/1 stays down
    R2(config-if)# ex
    R2(config)# ip route 0.0.0.0 0.0.0.0 12.0.0.2       // default route towards R3

7.4. Configure the address of each host (VPCS)

    PC1> ip 192.168.100.10 192.168.100.1
    Checking for duplicate address...
    PC1 : 192.168.100.10 255.255.255.0 gateway 192.168.100.1
    PC2> ip 192.168.100.20 192.168.100.1
    Checking for duplicate address...
    PC2 : 192.168.100.20 255.255.255.0 gateway 192.168.100.1
    PC3> ip 13.0.0.13 13.0.0.1
    Checking for duplicate address...
    PC3 : 13.0.0.13 255.255.255.0 gateway 13.0.0.1

7.5. R2: configure static NAT translation and apply it to the interfaces

    R2#conf t
    R2(config)# ip nat inside source static 192.168.100.10 12.0.0.10   // one-to-one entry, inside local -> inside global
    R2(config)# ip nat inside source static 192.168.100.20 12.0.0.20
    R2(config)# int f0/0
    R2(config-if)# ip nat inside        // f0/0 is the inside interface
    R2(config-if)# int f0/1
    R2(config-if)# ip nat outside       // f0/1 is the outside interface
    R2(config-if)# end
    R2#debug ip nat                     // print every translation as it happens
    IP NAT debugging is on

Debugging is a test aid: it prints a line for every translated packet and should be switched off once the test is finished. With these two entries, 12.0.0.10 and 12.0.0.20 are permanently reachable from the 12.0.0.0/24 side; a static entry exposes the inside host in both directions, which is the intended effect here but should be kept in mind.

8. Static NAT port mapping

NAT Port Mapping Protocol (NAT-PMP) is a network protocol for automatically establishing network address translation settings and port mapping configurations without user intervention. It lets a client learn the external IPv4 address of the NAT gateway and request port mappings so that peers can reach it. NAT-PMP was introduced by Apple in 2005 as an alternative to the more common ISO-standardised Internet Gateway Device protocol (UPnP IGD, implemented by many NAT routers) and was published by the Internet Engineering Task Force (IETF) as RFC 6886. NAT-PMP uses the User Datagram Protocol (UDP) and runs on port 5351. The protocol has no built-in authentication mechanism, the reasoning being that forwarding a port typically allows no activity that could not also be achieved with STUN-style techniques. Its advantages over STUN are that no STUN server is needed and that a NAT-PMP mapping has a known expiry time, so applications can avoid sending keep-alive packets inefficiently. NAT-PMP is the predecessor of the Port Control Protocol (PCP). The practical consequence of the missing authentication is that any host or process on the internal network, malware included, can ask the gateway to expose an internal port to the outside; where that is not wanted, NAT-PMP (like UPnP IGD) should be disabled on the gateway.
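Added example, not part of the original page and not Apple's or any router vendor's code: the NAT-PMP message formats of RFC 6886 in Python, with a hypothetical in-memory gateway (ToyGateway) so that both sides of the exchange can be run offline. The addresses follow the lab topology of the experiments below; demo and the function names are chosen here. The point to observe is the absence of authentication: a second inside host asks for the same external port and is simply given the next free one.

```python
import socket
import struct

NATPMP_PORT = 5351                      # UDP, per RFC 6886
OP_EXTERNAL_ADDRESS, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
          3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def build_external_address_request():
    """Client -> gateway: version 0, opcode 0 (2 bytes)."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDRESS)


def build_map_request(proto_op, internal_port, suggested_external_port, lifetime):
    """Client -> gateway: version, opcode (1 UDP / 2 TCP), 2 reserved bytes, internal port,
    suggested external port, requested lifetime in seconds (12 bytes). Lifetime 0 deletes."""
    return struct.pack("!BBHHHI", 0, proto_op, 0, internal_port, suggested_external_port, lifetime)


def parse_response(data):
    """Decode a gateway response; responses carry opcode 128 + request opcode."""
    if len(data) < 8 or data[0] != 0 or data[1] < 128:
        raise ValueError("not a NAT-PMP response")
    op = data[1] - 128
    result, epoch = struct.unpack("!HI", data[2:8])   # result code, seconds since gateway epoch
    out = {"op": op, "result": RESULT.get(result, result), "epoch": epoch}
    if result != 0:
        return out
    if op == OP_EXTERNAL_ADDRESS:
        out["external_ip"] = socket.inet_ntoa(data[8:12])
    else:
        out["internal_port"], out["external_port"], out["lifetime"] = struct.unpack("!HHI", data[8:16])
    return out


class ToyGateway:
    """Hypothetical in-memory gateway side. It accepts any request from the inside
    network: NAT-PMP has no authentication, so every LAN host is equally trusted."""

    def __init__(self, external_ip, epoch=0):
        self.external_ip, self.epoch = external_ip, epoch
        self.mappings = {}   # (proto_op, external_port) -> (client_ip, internal_port, lifetime)

    def handle(self, client_ip, data):
        if len(data) < 2 or data[0] != 0:
            return struct.pack("!BBHI", 0, 128, 1, self.epoch)                # unsupported version
        op = data[1]
        if op == OP_EXTERNAL_ADDRESS:
            return struct.pack("!BBHI4s", 0, 128, 0, self.epoch, socket.inet_aton(self.external_ip))
        if op not in (OP_MAP_UDP, OP_MAP_TCP) or len(data) < 12:
            return struct.pack("!BBHI", 0, 128 + (op & 0x7F), 5, self.epoch)  # unsupported opcode
        _, _, _, iport, eport, lifetime = struct.unpack("!BBHHHI", data[:12])
        if lifetime == 0:                                                     # delete request
            for key, (owner, port, _) in list(self.mappings.items()):
                if key[0] == op and owner == client_ip and port == iport:
                    del self.mappings[key]
            return struct.pack("!BBHIHHI", 0, 128 + op, 0, self.epoch, iport, 0, 0)
        owner = self.mappings.get((op, eport))
        if eport == 0 or (owner and owner[0] != client_ip):                   # pick another port
            eport = max((p for _, p in self.mappings), default=1024) + 1
        self.mappings[(op, eport)] = (client_ip, iport, lifetime)
        return struct.pack("!BBHIHHI", 0, 128 + op, 0, self.epoch, iport, eport, lifetime)


def demo():
    """Two LAN hosts talk to the gateway; addresses follow the page's lab (12.0.0.1 outside)."""
    gw = ToyGateway("12.0.0.1", epoch=100)
    web, other = "192.168.100.100", "192.168.100.20"
    ext = parse_response(gw.handle(web, build_external_address_request()))
    first = parse_response(gw.handle(web, build_map_request(OP_MAP_TCP, 80, 8080, 3600)))
    # unauthenticated: any other inside host may ask for the same external port and
    # simply gets the next free one, exposing its own port 80 to the outside as well
    second = parse_response(gw.handle(other, build_map_request(OP_MAP_TCP, 80, 8080, 3600)))
    removed = parse_response(gw.handle(web, build_map_request(OP_MAP_TCP, 80, 0, 0)))
    return {"external": ext, "first": first, "second": second, "removed": removed,
            "live": dict(gw.mappings)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Against a real gateway the same byte strings would be sent with a UDP socket to the default gateway address on port 5351; the toy gateway keeps the exchange offline. The wire format is the RFC's, the allocation and deletion policy of ToyGateway is a simplification chosen for the example.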

8.1. Experiment diagram. From the wide area network, a private-network address can only be reached through a mapped public address. The aim of this experiment is to let a host on the external network reach a web service running on a Linux host in the private network.

8.2. Install the httpd service on the Linux server and write a test page

    [root@localhost ~]# yum install httpd -y                # install the httpd service
    [root@localhost ~]# vim /var/www/html/index.html        # create the page under the default site root
    this is web NAT
    [root@localhost ~]# systemctl start httpd               # start the httpd service
    [root@localhost ~]# systemctl stop firewalld.service    # stop the firewall (lab only)
    [root@localhost ~]# setenforce 0                        # put SELinux into permissive mode (lab only)

Stopping firewalld and switching SELinux to permissive mode (the original comment called this "enabling enhanced features", which is the opposite of what setenforce 0 does) is acceptable only in an isolated lab; on a real server open port 80 in the firewall and leave SELinux enforcing.

8.3. Give the Linux server a fixed IP address

    [root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    BOOTPROTO=static              # static addressing instead of DHCP
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=stable-privacy
    NAME=ens33
    UUID=849aa04e-1874-490f-8cb0-b2fde4b9a6f8
    DEVICE=ens33
    ONBOOT=yes
    IPADDR=192.168.100.100        # IP address
    NETMASK=255.255.255.0         # subnet mask
    GATEWAY=192.168.100.1         # gateway (inside interface of R1)
    [root@localhost ~]# systemctl restart network     # restart the network service
    [root@localhost ~]# ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
            inet6 fe80::e3c7:14af:6e4d:7216  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:c9:dd:05  txqueuelen 1000  (Ethernet)
            RX packets 4309  bytes 4579244 (4.3 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 1123  bytes 96283 (94.0 KiB)

8.4. Bind the network card of the Win10 host to the GNS3 topology

8.5. In GNS3, configure the addresses of the R1 router interfaces

    R1#conf t
    R1(config)# int f0/0
    R1(config-if)# ip add 192.168.100.1 255.255.255.0   // inside interface, gateway of the Linux server
    R1(config-if)# no shut
    R1(config-if)# int f0/1
    R1(config-if)# ip add 12.0.0.1 255.255.255.0        // outside interface
    R1(config-if)# no shut

8.6. Go back to the Win10 host (the external client in this experiment) and set its address

8.7. Go back to GNS3 and configure the port mapping

What does mapping mean? If the external network is to reach a private address, that address and port must be mapped to a public address and port on the NAT device; without a mapping there is no entry in the translation table and no way in.

    R1#conf t
    R1(config)# ip nat inside source static tcp 192.168.100.100 80 12.0.0.100 8080 extendable
        // static entry for TCP: inside address plus port mapped to outside address plus port;
        // extendable lets the same inside address take part in more than one static entry
    Interface NVI0, changed state to up
    R1(config)# int f0/0
    R1(config-if)# ip nat inside        // inside interface
    R1(config-if)# int f0/1
    R1(config-if)# ip nat outside       // outside interface
    R1(config-if)# end
    R1#debug ip nat                     // watch the mapping being used during the test
    IP NAT debugging is on

8.8. From a host on the external network, visit http://12.0.0.100:8080/ . Port 8080 must be included in the URL because that is the port that was mapped; the server's real port 80 is never visible outside. Note that this mapping is open to every host on the external side: a mapped port is an exposed service, the converse of the port-scan protection described in section 1.

9. Dynamic NAT address translation

Dynamic NAT translates a private address into a public address chosen from a pool at the moment the translation is created, so the private-to-public pairing is not fixed in advance: any private address permitted by the access list can be translated to any address of the configured pool. Dynamic translation needs only two things to be specified, which internal addresses may be translated and which legal addresses serve as the external ones; several sets of legal external addresses can be used. It suits the case where the ISP provides slightly fewer public addresses than there are computers in the network. When the pool is exhausted, further hosts cannot be translated until an existing entry times out.

Dynamic NAT experiment diagram. Purpose: translate the internal private addresses into one of several public addresses.

9.1. Layer-2 switch: disable routing, set speed and full duplex

    sw#conf t
    sw(config)# no ip routing
    sw(config)# int f1/0
    sw(config-if)# speed 100
    sw(config-if)# dup full
    sw(config-if)# ex

9.2. R1: address the interfaces and configure dynamic NAT

    R1#conf t
    R1(config)# int f0/0
    R1(config-if)# ip add 192.168.100.1 255.255.255.0
    R1(config-if)# no shut
    R1(config-if)# int f0/1
    R1(config-if)# ip add 12.0.0.1 255.255.255.0
    R1(config-if)# no shut
    R1(config-if)# ex
    R1(config)# access-list 1 permit 192.168.100.0 0.0.0.255
        // inside network allowed to be translated; the mask is a wildcard (inverse) mask
    R1(config)# ip nat pool test 12.0.0.10 12.0.0.100 netmask 255.255.255.0
        // pool of global addresses: name, first address, last address, subnet mask
    R1(config)# ip nat inside source list 1 pool test
        // translate sources matching list 1 using the addresses of pool test
    R1(config)# int f0/0
    R1(config-if)# ip nat inside        // inside interface
    R1(config-if)# int f0/1
    R1(config-if)# ip nat outside       // outside interface
    R1(config-if)# end
    R1#debug ip nat                     // watch the translations during the test
    IP NAT debugging is on

9.3. Configure the address of each host

    PC1> ip 192.168.100.10 192.168.100.1
    Checking for duplicate address...
    PC1 : 192.168.100.10 255.255.255.0 gateway 192.168.100.1
    PC2> ip 192.168.100.20 192.168.100.1
    Checking for duplicate address...
    PC2 : 192.168.100.20 255.255.255.0 gateway 192.168.100.1
    PC3> ip 12.0.0.12 12.0.0.1
    Checking for duplicate address...
    PC3 : 12.0.0.12 255.255.255.0 gateway 12.0.0.1

9.4. PC1 and PC2 ping PC3 to check that the inside hosts receive different public addresses

    PC1> ping 12.0.0.12
    84 bytes from 12.0.0.12 icmp_seq=1 ttl=63 time=20.944 ms
    84 bytes from 12.0.0.12 icmp_seq=2 ttl=63 time=18.950 ms
    84 bytes from 12.0.0.12 icmp_seq=3 ttl=63 time=15.957 ms
    84 bytes from 12.0.0.12 icmp_seq=4 ttl=63 time=22.452 ms
    84 bytes from 12.0.0.12 icmp_seq=5 ttl=63 time=19.952 ms

Debug output on R1 (abridged; the original transcript is garbled and only the lines that can be recovered are shown):

    R1#
    *Mar  1 00:19:47.327: NAT: expiring 12.0.0.11 (192.168.100.20) icmp 34108 (34108)
    *Mar  1 00:19:47.463: NAT*: s=192.168.100.20->12.0.0.11, d=12.0.0.12 [15554]
    *Mar  1 00:19:49.519: NAT*: s=12.0.0.12, d=12.0.0.11->192.168.100.20 [15554]
    *Mar  1 00:19:50.399: NAT: expiring 12.0.0.11 (192.168.100.20) icmp 34876 (34876)
    *Mar  1 00:19:50.531: NAT*: s=192.168.100.20->12.0.0.11, d=12.0.0.12 [15555]
    *Mar  1 00:19:50.543: NAT*: s=12.0.0.12, d=12.0.0.11->192.168.100.20 [15555]
    *Mar  1 00:19:51.423: NAT: expiring 12.0.0.11 (192.168.100.20) icmp 35132 (35132)

Each inside host is given its own address from the pool (192.168.100.20 appears outside as 12.0.0.11); s= and d= are the source and destination before and after translation, and the number in brackets is the IP identification that links a request line to its reply. The "expiring" lines show the dynamic ICMP entries timing out, after which the address returns to the pool.

10. PAT translation experiment. Purpose: translate all private addresses into the same public address.

PAT (Port Address Translation), also called port multiplexing or NAT overload: by rewriting both the source IP and the source port of outbound packets, all hosts of the internal network share a single public IP address to reach the external network, which saves addresses. The router tells the returning flows apart by the translated port.

10.1. Layer-2 switch: disable routing, set speed and full duplex

    sw#conf t
    sw(config)# no ip routing
    sw(config)# int f1/0
    sw(config-if)# speed 100
    sw(config-if)# dup full

10.2. R1: address the interfaces and configure PAT

    R1#conf t
    R1(config)# int f0/0
    R1(config-if)# ip add 192.168.100.1 255.255.255.0
    R1(config-if)# no shut
    R1(config-if)# int f0/1
    R1(config-if)# ip add 12.0.0.1 255.255.255.0
    R1(config-if)# no shut
    R1(config-if)# ex
    R1(config)# access-list 1 permit 192.168.100.0 0.0.0.255
        // inside network allowed to be translated (wildcard mask)
    R1(config)# ip nat inside source list 1 interface fastEthernet 0/1 overload
        // use the address of the outside interface itself; overload = all hosts share it by port
    R1(config)# int f0/0
    R1(config-if)# ip nat in            // inside interface
    R1(config-if)# int f0/1
    R1(config-if)# ip nat out           // outside interface
    R1(config-if)# end
    R1#debug ip nat                     // watch the translations during the test
    IP NAT debugging is on

10.3. Configure the address of each host

    PC1> ip 192.168.100.10 192.168.100.1
    Checking for duplicate address...
    PC1 : 192.168.100.10 255.255.255.0 gateway 192.168.100.1
    PC2> ip 192.168.100.20 192.168.100.1
    Checking for duplicate address...
    PC2 : 192.168.100.20 255.255.255.0 gateway 192.168.100.1
    PC3> ip 12.0.0.12 12.0.0.1
    Checking for duplicate address...
    PC3 : 12.0.0.12 255.255.255.0 gateway 12.0.0.1

10.4. Check that PC1 and PC2 reach the outside through the same public address

    PC1> ping 12.0.0.12 -t
    12.0.0.12 icmp_seq=1 timeout
    84 bytes from 12.0.0.12 icmp_seq=2 ttl=63 time=20.943 ms
    84 bytes from 12.0.0.12 icmp_seq=3 ttl=63 time=17.919 ms
    84 bytes from 12.0.0.12 icmp_seq=4 ttl=63 time=16.956 ms

    R1#
    *Mar  1 00:19:04.779: NAT*: s=192.168.100.10->12.0.0.1, d=12.0.0.12 [18124]
    *Mar  1 00:19:09.843: NAT*: s=192.168.100.10->12.0.0.1, d=12.0.0.12 [18128]
    *Mar  1 00:19:09.847: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.10 [18128]

    PC2> ping 12.0.0.12 -t
    84 bytes from 12.0.0.12 icmp_seq=1 ttl=63 time=29.921 ms
    84 bytes from 12.0.0.12 icmp_seq=2 ttl=63 time=16.981 ms
    84 bytes from 12.0.0.12 icmp_seq=3 ttl=63 time=15.958 ms
    84 bytes from 12.0.0.12 icmp_seq=4 ttl=63 time=23.936 ms

    R1#
    *Mar  1 00:20:28.715: NAT*: s=192.168.100.20->12.0.0.1, d=12.0.0.12 [18208]
    *Mar  1 00:20:28.719: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.20 [18208]
    *Mar  1 00:20:30.751: NAT*: s=192.168.100.20->12.0.0.1, d=12.0.0.12 [18210]
    *Mar  1 00:20:30.759: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.20 [18210]
    *Mar  1 00:20:31.775: NAT*: s=192.168.100.20->12.0.0.1, d=12.0.0.12 [18211]

(Debug output abridged to the lines that can be recovered from the original transcript.) Both 192.168.100.10 and 192.168.100.20 appear on the outside as 12.0.0.1, the address of f0/1. The router distinguishes the flows by the translated port (for ICMP, the identifier), so the replies from 12.0.0.12 are delivered back to the right inside host; the first PC1 echo timed out while the first translation entry was being created.
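Added example, not from the original page: a Python checker for debug ip nat output of the kind shown in 9.4 and 10.4. It parses the outbound "s=local->global" and inbound "d=global->local" lines, records which inside global address each inside host received, classifies the result as one-to-one (static or dynamic NAT) or PAT, and flags any reply whose translation does not mirror the request, which is the kind of anomaly worth alerting on when such logs are collected. The log lines are constructed for the example in the device's format rather than copied from a router; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed samples in the format of Cisco 'debug ip nat' output, modelled on the
# lines shown in the dynamic NAT (9.4) and PAT (10.4) tests; not copied from a device.
DYNAMIC_LOG = """\
*Mar  1 00:19:47.463: NAT*: s=192.168.100.20->12.0.0.11, d=12.0.0.12 [15554]
*Mar  1 00:19:47.519: NAT*: s=12.0.0.12, d=12.0.0.11->192.168.100.20 [15554]
*Mar  1 00:19:48.531: NAT*: s=192.168.100.10->12.0.0.10, d=12.0.0.12 [15555]
*Mar  1 00:19:48.543: NAT*: s=12.0.0.12, d=12.0.0.10->192.168.100.10 [15555]
*Mar  1 00:19:50.399: NAT: expiring 12.0.0.11 (192.168.100.20) icmp 34876 (34876)
"""
PAT_LOG = """\
*Mar  1 00:19:04.779: NAT*: s=192.168.100.10->12.0.0.1, d=12.0.0.12 [18124]
*Mar  1 00:19:04.783: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.10 [18124]
*Mar  1 00:20:28.715: NAT*: s=192.168.100.20->12.0.0.1, d=12.0.0.12 [18208]
*Mar  1 00:20:28.719: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.20 [18208]
"""
# A reply delivered to a host other than the one that sent the request: this should
# never appear on a correctly working NAT device and is flagged by the checker.
BAD_LOG = """\
*Mar  1 00:21:00.000: NAT*: s=192.168.100.10->12.0.0.1, d=12.0.0.12 [18300]
*Mar  1 00:21:00.010: NAT*: s=12.0.0.12, d=12.0.0.1->192.168.100.20 [18300]
"""

OUTBOUND = re.compile(r"NAT\*?: s=(?P<local>[\d.]+)->(?P<glob>[\d.]+), d=(?P<dst>[\d.]+) \[(?P<id>\d+)\]")
INBOUND = re.compile(r"NAT\*?: s=(?P<src>[\d.]+), d=(?P<glob>[\d.]+)->(?P<local>[\d.]+) \[(?P<id>\d+)\]")
EXPIRING = re.compile(r"NAT: expiring (?P<glob>[\d.]+) \((?P<local>[\d.]+)\)")


def parse(log):
    """Return (mapping, problems, expired): mapping is {inside local: {inside global}},
    problems lists inbound lines whose translation does not mirror the outbound one,
    expired lists (inside local, inside global) pairs whose entry timed out."""
    mapping, outbound, problems, expired = defaultdict(set), {}, [], []
    for line in log.splitlines():
        if m := OUTBOUND.search(line):
            mapping[m["local"]].add(m["glob"])
            outbound[m["id"]] = (m["local"], m["glob"], m["dst"])
        elif m := INBOUND.search(line):
            # the reply must come from the outbound destination and reverse the same pair
            if outbound.get(m["id"]) != (m["local"], m["glob"], m["src"]):
                problems.append(line.strip())
        elif m := EXPIRING.search(line):
            expired.append((m["local"], m["glob"]))
    return dict(mapping), problems, expired


def classify(mapping):
    """'pat' if all inside hosts share one global address, 'one-to-one' if each has its
    own (static or dynamic NAT), 'mixed' otherwise, 'none' if nothing was translated."""
    if not mapping:
        return "none"
    if any(len(globs) != 1 for globs in mapping.values()):
        return "mixed"
    globs = [next(iter(g)) for g in mapping.values()]
    if len(globs) > 1 and len(set(globs)) == 1:
        return "pat"
    if len(set(globs)) == len(globs):
        return "one-to-one"
    return "mixed"


if __name__ == "__main__":
    for name, log in (("dynamic", DYNAMIC_LOG), ("pat", PAT_LOG), ("bad", BAD_LOG)):
        mapping, problems, expired = parse(log)
        print(name, classify(mapping), mapping, problems, expired)
```

The request and reply lines are paired on the bracketed IP identification, which is what the debug output prints for each packet; on a busy device that field wraps, so a production version would also key on timestamps or on the translated port from the extended entry.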
